Someone recently asked us what kinds of changes corporations need to implement in terms of cybersecurity countermeasures. This seems like a loaded question, but our answer is simple — focus on people, focus on the human element.
Below are two non-technical suggestions that any organization of any size, from 5 to 500,000 people, should probably adopt if it isn’t already doing so. While there are plenty of excellent technical tools, pieces of software and hardware that can no doubt help companies, we want to focus on relatively simple things that can and should be done.
1. Actually have policies and enforce them.
Every organization needs security policies. It doesn’t matter if you have five people or 10,000, your employees need ground rules for their online behavior. Are they allowed to visit social media sites from company networks? Are they allowed to use personal devices for work? How often should they change their account passwords? What about hard copies of sensitive information? How must they be stored? How must they be destroyed? Are they allowed to receive files from clients/vendors, or do you have a secure FTP site set up? Do you have a badge policy? Do visitors have to sign in at the front desk, or are they allowed to wander the halls unsupervised? What about backups? Are employees responsible for their own, or does the company handle backup for everyone? What about compliance standards like PCI or HIPAA? Is your organization (and therefore the people within it) held to any of those regulations?
If your employees don’t know the policies, then there will be mistakes. People will transmit unsecured PII. People will say inappropriate things about the company on social media. People will lose important files. People will let unsupervised visitors into sensitive areas. People will behave however THEY think they should, without the organization’s best interest or security in mind.
You must have policies in place. Your employees must KNOW the policies. AND they must know that there are repercussions for not following the policies. Maybe a three-strike system. Maybe a card system (green/yellow/red). Maybe they get docked pay. Something to let them know that when they break the rules (aka policies), they will have to face the consequences.
Some companies prefer a positive reward system, which we’ve seen work in many organizations: in addition to some minor negative feedback for breaking policy (no one gets fired, but you do get reprimanded), they offer rewards such as $10 Starbucks gift cards for employees who go out of their way to follow policy, and a Secure Employee of the Month competition.
2. Educate your employees.
Having policies in place is hugely important, but a lot of the time policies are written in legalese or technical mumbo jumbo that the average user doesn’t understand. And if they can’t understand it, they won’t do it. So you need to educate your users about the policy — not just what the policy says, but the WHY behind the policy. “Change your password every six months. Do you know why? Because having the same password for too long can make you a weak link in our security and make it that much easier for a bad guy to hack into your account and use it in a way that damages the company and your role within it.”
It’s even better if you can go beyond policy and educate them about real-world cybersecurity issues, and how those issues relate to their personal lives, kids and families. Cybersecurity is something EVERYONE who uses a mobile device or who has ever been on the internet needs to think about, and sadly it’s not part of the public consciousness yet. But it can be — if more companies educate their employees, giving them the foundations of cybersecurity and focusing on the personal aspects of it. Once you’ve gotten someone to understand the Hows and Whys of protecting their own privacy and securing their own data, then it’s really easy to say, “Hey, remember all that stuff we taught you about privacy and security? Do the same stuff here at work.”
* * *
We, here at The Security Awareness Company, sincerely believe that if you can change people’s mindsets and behavior, then you can increase the security within your organization without needing more technology. Yes, technology will change, but the basic security principles haven’t changed in 20 years, and they will continue to grow in importance for all users, at work, at home and on mobile devices. A more educated and security-savvy public will help decrease the number of data breaches and dumb security incidents we see in the news, much in the same way that teaching driver safety helps limit accidents. Our cars now have all sorts of bells and whistles to make them safer in addition to the basic seat belts and air bags, but if you have someone who doesn’t know how to drive or doesn’t know (or follow) the rules of the road, the technology doesn’t help. It is the same with security. What good is the technology if the PEOPLE using it do so in an unsafe manner?